Computer systems often contain valuable and/or sensitive information, control access to such information, or play an integral role in securing physical locations and assets. The security of information, assets and locations is only as good as the weakest link in the security chain, so it is important that computers reliably be able to distinguish authorized personnel from impostors. In the past, computer security has largely depended on secret passwords. Unfortunately, users often choose passwords that are easy to guess or that are simple enough to determine via exhaustive search or other means. When passwords of greater complexity are assigned, users may find them hard to remember, so may write them down, thus creating a new, different security vulnerability.
Various approaches have been tried to improve the security of computer systems. For example, in “have something, know something” schemes, a prospective user must know a password (or other secret code) and have (or prove possession of) a physical token such as a key or an identification card. Such schemes usually provide better authentication than passwords alone, but an authorized user can still permit an unauthorized user to use a system simply by giving the token and the secret code to the unauthorized user.
Other authentication methods rely on measurements of unique physical characteristics (“biometrics”) of users to identify authorized users. For example, fingerprints, voice patterns and retinal images have all been used with some success. However, these methods usually require special hardware to implement (e.g., fingerprint or retinal scanners; audio input facilities).
Techniques have been developed that permit computer users to be authenticated at machines without any special hardware. For example, U.S. Pat. No. 4,805,222 to Young et al. describes verifying the identity of an individual based on timing data collected while he types on a keyboard. Identification is accomplished by a simple statistical method that treats the collected data as an n-dimensional vector and computes the Euclidean distance between this vector and a reference vector. More sophisticated analyses have also been proposed. For example, U.S. Pat. No. 6,151,593 to Cho et al. suggests using a neural network to classify keystroke timing vectors as “like” or “unlike” a set of sample vectors, and U.S. Patent Application No. U.S. 2007/0245151 by Phoha et al. describes a specific neural-network-like method for creating keystroke dynamics templates from collected data, and using the templates to identify users.
The problem of comparing a biometric sample to a template or reference sample to determine whether the sample was produced by the same person who created the template or reference sample is a difficult one. Improved algorithms to produce biometric templates and to validate biometric samples may be useful in producing more accurate identifications with reduced false acceptance rates (“FAR”) and false reject rates (“FRR”).